Sorry about previous message, got tangled in my addresses.
-------- Original Message --------
Hi Anahide,
Thanks for your answer. Here are my config files.
I think I need another directory definition for my posixGroups (as per
the tests config (src)) but would like a confirmation before digging
into it.
Thanks.
Patrick
> Hi,
> There is some documentation available here:
> http://doc.nuxeo.org/5.1/books/nuxeo-book/html/chapter-directories.html#ldap-directories
> But given what you're saying, it looks like you're heading in the right
> direction. Maybe copying here your configuration that doesn't behave
> as expected would help in figuring out the problem.
>
> Regards,
>
>
Original message from Patrick
> > Still configuring my Ldap for production usage. For my group creation
> > problem (with attributes with set values), I'll post a patch in jira soon.
> >
> > I'm trying to achieve subGroups (group of group in fact). Looking at the
> > examples and the test configs, I realise I have to use ldapReference
> > and/or ldapReferenceTree, but I can't figure out how exactly to do it yet.
> >
> > My nuxeo managed groups have objectClass "gosaGroupOfNames" with
> > attribute "member = uid=username,dc=example,dc=com" for members.
> > I can put our general group in there "member =
> > cn=personGroup,ou=Groups,dc=example,dc=com".
> >
> > Unfortunately, nuxeo can't see the members of those groups.
> >
> > My internal groups have objectClass of "posixGroup" and the members are
> > identified with "memberUid = myUid".
> >
> > Should I create another "directory" element to configure the lookup of
> > group members? Should I put a specific value in dynamicAttributeId of
> > ldapReference? Should I use ldapTreeReference?
> >
> > To put things in context, our LDAP is OpenLDAP, managed with GOsa
> > (https://oss.gonicus.de/labs/gosa/) and is structured around posixGroup.
> >
> > Thanks for any help in sorting this out.
> >
> > Patrick Turcotte
> > Revolution Linux
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.groups">
<implementation
class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
<implementation
class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<!-- the groups LDAP directory for users is required to make this bundle work -->
<require>org.nuxeo.ecm.directory.ldap.storage.users</require>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="directories">
<directory name="groupDirectory">
<!-- Reuse the default server configuration defined for userDirectory -->
<server>default</server>
<schema>group</schema>
<idField>groupname</idField>
<searchBaseDn>dc=example,dc=com</searchBaseDn>
<!--
<searchFilter></searchFilter>
-->
<searchFilter>(|(objectClass=posixGroup)(objectClass=gosaGroupOfNames))</searchFilter>
<searchScope>subtree</searchScope>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=Group,ou=nuxeo,dc=example,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<!--
<creationClass>groupOfUniqueNames</creationClass>
-->
<creationClass>gosaGroupOfNames</creationClass>
<attributesWithValues name="gosaGroupObjects">[U]</attributesWithValues>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="groupname">cn</fieldMapping>
<references>
<!-- LDAP references resolve DNs embedded in uniqueMember attributes.
If the target directory has no specific filtering policy, it is most
of the time not necessary to enable the 'forceDnConsistencyCheck' policy.
Enabling this option will fetch each referenced entry to ensure its
existence in the target directory.
-->
<ldapReference field="members" directory="userDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="member"
dynamicAttributeId="memberURL" />
<ldapReference field="subGroups" directory="groupDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="member"
dynamicAttributeId="memberURL" />
<inverseReference field="parentGroups"
directory="groupDirectory" dualReferenceField="subGroups" />
</references>
</directory>
</extension>
</component>
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.users">
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<!-- the groups SQL directories are required to make this bundle work -->
<require>org.nuxeo.ecm.directory.sql.storage</require>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="servers">
<!-- Configuration of a server connection
A single server declaration can point to a cluster of replicated
servers (using OpenLDAP's slapd + slurpd for instance). To leverage
such a cluster and improve availability, please provide one
<ldapUrl/> tag for each replica of the cluster.
-->
<server name="default">
<ldapUrl>ldap://ldap-pturcotte.example.com:389</ldapUrl>
<!--
<ldapUrl>ldaps://ldapdmz.example.com:636</ldapUrl>
-->
<!-- Optional servers from the same cluster for failover
and load balancing:
<ldapUrl>ldap://server2:389</ldapUrl>
<ldapUrl>ldaps://server3:389</ldapUrl>
"ldaps" means TLS/SSL connection.
-->
<!-- Credentials used by Nuxeo5 to browse the directory, create
and modify entries.
Only the authentication of users (bind) use the credentials entered
through the login form if any.
-->
<bindDn>uid=nuxeoadmin,ou=People,ou=nuxeo,dc=example,dc=com</bindDn>
<bindPassword>changeme</bindPassword>
</server>
</extension>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="directories">
<directory name="userDirectory">
<server>default</server>
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField>
<searchBaseDn>ou=People,dc=example,dc=com</searchBaseDn>
<searchClass>person</searchClass>
<!-- To additionally restrict entries you can add an
arbitrary search filter such as the following:
<searchFilter>(&amp;(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
Beware that "&" writes "&amp;" in XML.
-->
<!-- use subtree if the people branch is nested -->
<searchScope>onelevel</searchScope>
<!-- using 'subany', search will match *toto*. use 'subfinal' to
match *toto and 'subinitial' to match toto*. subinitial is the
default behaviour-->
<substringMatchType>subany</substringMatchType>
<readOnly>false</readOnly>
<!-- comment <cache* /> tags to disable the cache -->
<!-- cache timeout in seconds -->
<cacheTimeout>3600</cacheTimeout>
<!-- maximum number of cached entries before global invalidation -->
<cacheMaxSize>1000</cacheMaxSize>
<!--
If the id field is not returned by the search, we set it with the searched entry, probably the login.
Before setting it, you can change its case. Accepted values are 'lower' and 'upper',
anything else will not change the case.
-->
<missingIdFieldCase>lower</missingIdFieldCase>
<!-- Maximum number of entries returned by the search -->
<querySizeLimit>200</querySizeLimit>
<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
<queryTimeLimit>0</queryTimeLimit>
<creationBaseDn>ou=People,dc=example,dc=com</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>person</creationClass>
<creationClass>organizationalPerson</creationClass>
<creationClass>inetOrgPerson</creationClass>
<rdnAttribute>uid</rdnAttribute>
<fieldMapping name="username">uid</fieldMapping>
<fieldMapping name="password">userPassword</fieldMapping>
<fieldMapping name="firstName">givenName</fieldMapping>
<fieldMapping name="lastName">sn</fieldMapping>
<fieldMapping name="company">o</fieldMapping>
<fieldMapping name="email">mail</fieldMapping>
<references>
<inverseReference field="groups" directory="groupDirectory"
dualReferenceField="members" />
</references>
</directory>
</extension>
</component>
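
Added example (not part of the original message and not Nuxeo code): a simplified Python model of the situation described above, where a resolver that only follows DN-valued `member` attributes finds no users in a nested posixGroup whose members are listed as `memberUid` logins. The sample entries, user names, and the `effective_users` helper are constructed for illustration.

```python
# Added illustration, not Nuxeo code: a simplified model of DN-valued
# reference resolution over constructed entries shaped like the post's groups.
GROUP_CLASSES = {"posixgroup", "gosagroupofnames"}  # from the page's searchFilter

# Constructed sample directory (DN -> attributes); names are made up.
ENTRIES = {
    "uid=alice,ou=People,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=personGroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["bob"]},
    "cn=editors,ou=Group,ou=nuxeo,dc=example,dc=com": {
        "objectClass": ["gosaGroupOfNames"],
        "member": ["uid=alice,ou=People,dc=example,dc=com",
                   "cn=personGroup, ou=Groups, dc=example, dc=com"]},
}

def norm(dn):
    """Loose DN normalisation (case and spacing only, not full RFC 4514)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

INDEX = {norm(dn): attrs for dn, attrs in ENTRIES.items()}
UID_TO_DN = {a["uid"][0]: norm(dn) for dn, a in ENTRIES.items() if "uid" in a}

def is_group(attrs):
    return any(c.lower() in GROUP_CLASSES for c in attrs["objectClass"])

def effective_users(group_dn, use_member_uid=False, _seen=None):
    """Expand a group to user DNs, following nested groups via 'member'.

    use_member_uid=False models a resolver that only understands DN values;
    True additionally maps posixGroup 'memberUid' logins to user entries.
    """
    seen = _seen if _seen is not None else set()
    key = norm(group_dn)
    if key in seen or key not in INDEX:   # cycle guard / dangling reference
        return set()
    seen.add(key)
    attrs, users = INDEX[key], set()
    for value in attrs.get("member", []):
        target = INDEX.get(norm(value))
        if target is None:
            continue                       # DN not present in the directory
        if is_group(target):
            users |= effective_users(value, use_member_uid, seen)
        else:
            users.add(norm(value))
    if use_member_uid:
        users |= {UID_TO_DN[u] for u in attrs.get("memberUid", []) if u in UID_TO_DN}
    return users
```

Comparing the two modes for the same group shows which accounts gain or lose effective membership, which is worth checking before relying on nested groups for access decisions.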